Rapid7 Blog

What Makes SIEM Security Alerts Actionable? Automatic Context

Whether you call them alerts, alarms, offenses, or incidents, they’re all worthless without supporting context. A failed login attempt may be completely benign ... unless it happened from an anomalous asset or from a suspicious location. Escalation of a user’s privileges could be due to a special project or job promotion ... or because that user’s account was compromised. Many security monitoring tools today generate false positive alerts because they’re only able to report on activity, without taking into account the context in which the activity occurred.

In this post, we’ll explore how security analytics can correlate data across your network and pinpoint real security events, so you can stop wasting precious time on frustrating false positives.

Gather context as data streams in

Can you provide a hard number on how many servers and machines are connected to your corporate network? With your network, preventative measures, and monitoring stack each providing a siloed view of events, answering that can be overwhelming to say the least. Most SIEM and log management tools don’t apply user behavior analytics to these data streams to tie account behavior back to the users and assets behind it. This is a problem many security pros run into today: trying to determine whether something is malicious or just a misconfiguration can lead you down a deep rabbit hole.

Luckily, there is a way to make your data work for you. Imagine a world in which data streams in from across the network and is then automatically correlated with the users and assets involved. (To see this world in action, check out our InsightIDR interactive product tour.) Instead of one-off events such as a failed login, you could see a timeline of activity across users, assets, and the network to understand what is really happening (for example, repeated logins from Russia to compromised user accounts) so you don’t arrive at an incorrect conclusion.

Most security pros have had their fair share of barking up the wrong tree because of poorly reported data. Once they see activity in context, it not only reduces the overhead of sifting through false alerts, it also makes their investigations and response far more fruitful.

Automatic visibility and separation of admin & service accounts from user accounts

Different account types warrant different permission levels and behaviors, and they should be evaluated that way. What happens on a service account vs. a machine-only service vs. a user account is very different, and the three should not share the same baselines.

InsightIDR automatically tracks admin actions across network, endpoint, and cloud services. If an asset on your network starts taking first time admin actions, that will be surfaced as notable behavior.
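To make the two ideas above concrete (correlating raw events with the users and assets behind them, and keeping a separate baseline per account type, including surfacing an asset’s first admin action), here is an added example written for this post. It is not InsightIDR code and does not reflect its data model or detection rules; the asset inventory, account directory, key=value log format, action labels and rule names are all constructed for the illustration. Human accounts are baselined on the countries they log in from, service accounts on the assets they log in from, and an account’s first observation only seeds its baseline rather than alerting.

```python
"""Enrich bare authentication events with user/asset context, build per-account
baselines, and surface only notable behaviour. Everything below (inventory,
directory, log format, rule names) is constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory: source IP -> (hostname, owning account)
ASSETS = {
    "10.0.0.5": ("wks-jdoe", "jdoe"),
    "10.0.0.9": ("wks-asmith", "asmith"),
    "10.0.1.20": ("app-server-1", "svc_backup"),
}

# Constructed directory: account -> account type (decides which baseline applies)
ACCOUNTS = {"jdoe": "user", "asmith": "user", "adm_asmith": "admin", "svc_backup": "service"}

# Action labels we treat as administrative (assumed labels in the simplified log format)
ADMIN_ACTIONS = {"admin_group_add", "service_install", "schtask_create"}

# Constructed authentication log in time order, simplified key=value format
LOG_LINES = [
    "2024-05-01T08:00:00Z user=jdoe src=10.0.0.5 geo=US result=success action=logon",
    "2024-05-01T08:05:00Z user=jdoe src=10.0.0.5 geo=US result=failure action=logon",
    "2024-05-01T09:00:00Z user=svc_backup src=10.0.1.20 geo=US result=success action=logon",
    "2024-05-01T11:00:00Z user=adm_asmith src=10.0.0.9 geo=US result=success action=admin_group_add",
    "2024-05-01T23:10:00Z user=jdoe src=203.0.113.7 geo=RU result=failure action=logon",
    "2024-05-01T23:10:05Z user=jdoe src=203.0.113.7 geo=RU result=failure action=logon",
    "2024-05-01T23:10:09Z user=jdoe src=203.0.113.7 geo=RU result=success action=logon",
    "2024-05-02T02:00:00Z user=svc_backup src=10.0.0.5 geo=US result=success action=admin_group_add",
]


@dataclass
class Event:
    ts: str
    user: str
    src: str
    geo: str
    result: str
    action: str
    account_type: str = "unknown"  # the three fields below are filled in by enrich()
    hostname: str = "unknown"
    owner: str = "unknown"


def parse_event(line: str) -> Event:
    """Parse one constructed 'timestamp k=v k=v ...' log line."""
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return Event(ts, f["user"], f["src"], f["geo"], f["result"], f["action"])


def enrich(ev: Event) -> Event:
    """Attach the user and asset context a bare log line lacks."""
    ev.account_type = ACCOUNTS.get(ev.user, "unknown")
    ev.hostname, ev.owner = ASSETS.get(ev.src, ("unknown", "unknown"))
    return ev


def detect(lines):
    """Walk events in order, grow per-account baselines, return notable findings."""
    seen_geo = defaultdict(set)       # user -> countries with a successful logon
    seen_src = defaultdict(set)       # user -> source IPs with a successful logon
    admin_on_host = defaultdict(set)  # hostname -> accounts that took admin actions there
    streak = defaultdict(int)         # (user, src) -> consecutive failed logons
    findings = []

    def note(ev, rule, severity):
        findings.append({"ts": ev.ts, "user": ev.user, "rule": rule, "severity": severity,
                         "context": f"{ev.account_type} account on {ev.hostname} "
                                    f"(owner {ev.owner}) from {ev.geo}"})

    for ev in (enrich(parse_event(l)) for l in lines):
        key = (ev.user, ev.src)
        # Baseline dimension depends on account type: service accounts are pinned to
        # their source assets, human accounts to their usual countries. An empty
        # baseline means this is the account's first observation, which only seeds it.
        if ev.account_type == "service":
            anomalous = bool(seen_src[ev.user]) and ev.src not in seen_src[ev.user]
            rule = "service_account_new_source"
        else:
            anomalous = bool(seen_geo[ev.user]) and ev.geo not in seen_geo[ev.user]
            rule = "logon_from_new_location"

        if ev.result == "failure":
            streak[key] += 1
            # A lone failure from a known place is noise; the first failure of a
            # streak from an anomalous place is worth a look.
            if anomalous and streak[key] == 1:
                note(ev, "failed_" + rule, "medium")
            continue

        if anomalous:
            # A success right after repeated failures from a new place looks like guessing that worked
            note(ev, rule, "high" if streak[key] >= 2 else "medium")
        streak[key] = 0
        seen_geo[ev.user].add(ev.geo)
        seen_src[ev.user].add(ev.src)

        if ev.action in ADMIN_ACTIONS:
            if not admin_on_host[ev.hostname]:
                # First admin action ever seen from this asset: informational when an
                # admin account does it, high when a user or service account does
                note(ev, "first_admin_action_on_asset",
                     "low" if ev.account_type == "admin" else "high")
            admin_on_host[ev.hostname].add(ev.user)
    return findings


if __name__ == "__main__":
    for f in detect(LOG_LINES):
        print(f"{f['ts']} [{f['severity']}] {f['rule']}: {f['user']}, {f['context']}")
```

Run against the constructed log, the single benign failed logon from jdoe’s own workstation produces nothing, while the burst of failures from a new country that ends in a success, the admin account’s first admin action on its workstation, and the backup service account appearing on a user’s workstation and taking an admin action there all surface with the user and asset context attached. In a real deployment the inventory and directory would come from your CMDB and identity provider rather than literals, and the per-account baselines would be persisted between runs.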

This easy account breakdown helps you ask the right questions and enforce the principle of least privilege:

Should this user have these permission levels?

This user is now at a new department; do their privileges still make sense?

This user has left the company; how can we remove them from all accounts ASAP?

With easy access to any user profile and their permissions, you can take action quickly, mitigating the impact of a breach, reducing insider threats, and maintaining full visibility into your network.

Know your most risky users

Every office has them: the click-happy employee particularly vulnerable to phishing attacks, despite repeated security awareness training. Or the traveling employee who is notorious for working outside the corporate VPN. Then there’s the CFO who holds the keys to the kingdom that every attacker wants. If training and preventative measures aren’t enough to keep these users from being attacked, you need a way to quickly detect if and when an issue arises.

InsightIDR automatically highlights risky users for you based on past behavior, such as logging in from certain locations, setting poor passwords, and having generated past alerts, such as clicking on a phishing link. It not only shows you who these users are; you can also drill down to see their authentication locations, VPN usage, asset vulnerabilities, cloud services, running endpoint processes, and more.

This gives you a better understanding of their behaviors—good and bad—and allows you to retrace user activity with just one search.

Detect malicious behavior on the endpoint

Knowing what is being run on your assets is just as important as knowing risky users in your organization. InsightIDR natively collects endpoint data with our cross-product Insight Agent, which gives you deep asset visibility and real-time detection. Between maintaining the Metasploit project, our 24/7 Security Operations Centers, and thousands of pen test and incident response engagements, we are constantly identifying and investigating new attacker behaviors. Those investigations help us create Attacker Behavior Analytics—tuned behavioral detections that automatically match against your dataset and come with supporting threat intelligence.

Context without the digging

If you want to reliably detect attacks, you need comprehensive data collection backed by ever-evolving security analytics. If you’ve felt the pain of manually parsing log files, or a perplexing, vague alert, you know how quickly it can bring an investigation to a screeching halt. Wouldn’t it be nice to have all this work done for you so that all you have to do is view an alert filled with user, asset, and even attacker context, then jump into action?

You can see this process in more detail with our InsightIDR Interactive Product Tour. If you’re ready to ditch the false positives and deploy in a matter of hours, try our free, guided InsightIDR trial today.